VS Code false extension takes advantage of Moltbot to distribute malware and establish persistent remote access

The security community has identified a campaign that took advantage of Moltbot's popularity to distribute malware through a fraudulent extension in the Visual Studio Code Marketing. Aikido researchers published a detailed analysis describing how the extension, posing as an IA-based programming assistant for Moltbot, was uploaded on January 27, 2026 by a user called "clawdbot" and then removed by Microsoft. You can read the technical report on Aikido's blog for more technical and observable details: https: / / www.aikido.dev / blog / fake-clawdbot-vscode-extension-malware.

It is important to stress that Moltbot, the open source project created by Peter Steinberger and that he has won a huge traction in GitHub, does not offer an official extension for VS Code. The project allows you to run LLMs-based personal assistants on your own device and connect them to platforms such as WhatsApp, Telegram, Slack, Discord or Microsoft Teams, among others. If you want to check the origin and status of the project, its repository and the official page are available at GitHub and molt.bot.

According to technical analysis, the malicious extension was designed to run automatically at the start of the IDE. His code sought a remote configuration file ("config.json") hosted in a domain controlled by the attacker and, from that configuration, downloaded and executed a binary called "Code.exe." This executable was not a simple adware: it deployed a genuine remote access client (ConnectWise ScreenConnect) preconfigured to communicate with the attacker's infrastructure, allowing persistent access to the committed team.

The campaign authors added redundancy to their delivery mechanism: the extension could download a DLL (identified as "DWrite.dll") and perform a sideload to get the same payload from Dropbox if the main infrastructure was no longer available. In addition, the code included encoded URLs and an alternative batch script that recovered the components from another domain, thus increasing the resilience of the attack against blockages or replacements.

In the words of the researchers, the attackers mounted their own relay server for ScreenConnect and generated client installers already configured, so that the victim, when installing the extension, ended up with a remote management client who immediately "called home." The Aikido analysis describes this flow step by step and provides compromise indicators and observed domains: technical detail.

Beyond this specific campaign, risks inherent in the Moltbot ecosystem arise when safe settings are not adopted by default. The researcher Jamieson O'Reilly (founder of Dvuln) detected hundreds of accessible Moltbot instances without authentication, exposing configurations, API keys, OAuth credentials and private conversation records. O'Reilly has warned in networks that these agents can act on behalf of their operators on multiple platforms, run tools and send messages, which amplifies the abuse potential if a malicious actor takes control: statements and examples.

There is also a danger that malicious skills (skills) will be introduced in community repositories such as MoltHub, which facilitates supply chain attacks: a committed skill can be distributed and deployed in legitimate instances, exfiltering data or using it to supplant the identity of the agent in the face of reliable contacts. MoltHub (formerly ClawdHub) and similar are vectors to monitor if their use in productive environments is not controlled: MoltHub.

Security companies such as Intruder have provided complementary analysis, noting that the Moltbot architecture favours the ease of deployment above secure settings by default. This allows non-expert users to mount instances and connect sensitive services without validations, mandatory firewalls or unreliable plugin insulation. Intruder has also documented findings of misconfigurations, credentials exposure and injection vulnerabilities in prompts, a type of attack that is already being widely studied by the community: Intruder report and context on prompt injection in the IEEE Spectrum: https: / / spectrum.ieee.org / prompt-injection-attack.

If you administer or use Moltbot, or simply work with VS Code in environments where secrets or remote access are handled, immediate action should be taken. Audit the configuration of the Moltbot gateway, revoke connected integrations that are not essential, rotate exposed keys and apply network controls to limit unauthorized outgoing communications are steps that many experts recommend. The project documentation itself includes safety guidelines that should be reviewed: https: / / docs.molt.bot / gateway / security.

On the practical level, it is appropriate to verify the extensions installed in VS Code and remove any suspicious or unofficial supplements, to search for unexpected processes and binaries (e.g. "Code.exe" or other related to ScreenConnect customers) and to analyse network traffic in search of connections to unusual domains. In addition, scanning with antivirus / EDR tools, log review and, if appropriate, forensic analysis are recommended to determine the scope of a possible intrusion.

This campaign is a clear reminder that the combination between the popularity of open tools and the ease of deploying extensions or supplements creates opportunities for malicious actors. Security in development environments cannot be assumed: requires good practice, secure configuration and constant monitoring so that tools that promise productivity do not end up opening the door to an unauthorized remote access.